Bug 22980 - new php 5.6.36 available
Summary: new php 5.6.36 available
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-05-01 20:38 CEST by Marc Krämer
Modified: 2018-05-04 19:30 CEST

See Also:
Source RPM: php-5.6.35-1.mga6.src.rpm
CVE:
Status comment:


Attachments

Description Marc Krämer 2018-05-01 20:38:50 CEST
A few issues fixed:
http://php.net/ChangeLog-5.php#5.6.36
Comment 1 Franz Holzinger 2018-05-01 20:55:41 CEST
Wrong topic.
It should have been "new php 5.6.36 available"

CC: (none) => flink
Ever confirmed: 1 => 0
Status: NEW => UNCONFIRMED

Marc Krämer 2018-05-01 20:57:25 CEST

Summary: new php 5.3.36 available => new php 5.6.36 available

Comment 2 Marc Krämer 2018-05-01 21:04:42 CEST
Suggested advisory:
========================

Updated php packages fix security vulnerabilities:

- Heap Buffer Overflow (READ: 1786) in exif_iif_add_value (CVE-2018-10549)
- Stream filter convert.iconv leads to infinite loop on invalid sequence (CVE-2018-10546)
- Malicious LDAP-Server Response causes Crash. (CVE-2018-10548)
- incomplete PHAR Fix (CVE-2018-10547)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10549
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10546
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10548
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10547
========================

Updated packages in core/updates_testing:
========================
php-ini-5.6.36-1.mga6
apache-mod_php-5.6.36-1.mga6
php-cli-5.6.36-1.mga6
php-cgi-5.6.36-1.mga6
libphp5_common5-5.6.36-1.mga6
php-devel-5.6.36-1.mga6
php-openssl-5.6.36-1.mga6
php-zlib-5.6.36-1.mga6
php-doc-5.6.36-1.mga6
php-bcmath-5.6.36-1.mga6
php-bz2-5.6.36-1.mga6
php-calendar-5.6.36-1.mga6
php-ctype-5.6.36-1.mga6
php-curl-5.6.36-1.mga6
php-dba-5.6.36-1.mga6
php-dom-5.6.36-1.mga6
php-enchant-5.6.36-1.mga6
php-exif-5.6.36-1.mga6
php-fileinfo-5.6.36-1.mga6
php-filter-5.6.36-1.mga6
php-ftp-5.6.36-1.mga6
php-gd-5.6.36-1.mga6
php-gettext-5.6.36-1.mga6
php-gmp-5.6.36-1.mga6
php-hash-5.6.36-1.mga6
php-iconv-5.6.36-1.mga6
php-imap-5.6.36-1.mga6
php-interbase-5.6.36-1.mga6
php-intl-5.6.36-1.mga6
php-json-5.6.36-1.mga6
php-ldap-5.6.36-1.mga6
php-mbstring-5.6.36-1.mga6
php-mcrypt-5.6.36-1.mga6
php-mssql-5.6.36-1.mga6
php-mysql-5.6.36-1.mga6
php-mysqli-5.6.36-1.mga6
php-mysqlnd-5.6.36-1.mga6
php-odbc-5.6.36-1.mga6
php-opcache-5.6.36-1.mga6
php-pcntl-5.6.36-1.mga6
php-pdo-5.6.36-1.mga6
php-pdo_dblib-5.6.36-1.mga6
php-pdo_firebird-5.6.36-1.mga6
php-pdo_mysql-5.6.36-1.mga6
php-pdo_odbc-5.6.36-1.mga6
php-pdo_pgsql-5.6.36-1.mga6
php-pdo_sqlite-5.6.36-1.mga6
php-pgsql-5.6.36-1.mga6
php-phar-5.6.36-1.mga6
php-posix-5.6.36-1.mga6
php-readline-5.6.36-1.mga6
php-recode-5.6.36-1.mga6
php-session-5.6.36-1.mga6
php-shmop-5.6.36-1.mga6
php-snmp-5.6.36-1.mga6
php-soap-5.6.36-1.mga6
php-sockets-5.6.36-1.mga6
php-sqlite3-5.6.36-1.mga6
php-sybase_ct-5.6.36-1.mga6
php-sysvmsg-5.6.36-1.mga6
php-sysvsem-5.6.36-1.mga6
php-sysvshm-5.6.36-1.mga6
php-tidy-5.6.36-1.mga6
php-tokenizer-5.6.36-1.mga6
php-xml-5.6.36-1.mga6
php-xmlreader-5.6.36-1.mga6
php-xmlrpc-5.6.36-1.mga6
php-xmlwriter-5.6.36-1.mga6
php-xsl-5.6.36-1.mga6
php-wddx-5.6.36-1.mga6
php-zip-5.6.36-1.mga6
php-fpm-5.6.36-1.mga6
phpdbg-5.6.36-1.mga6
php-debuginfo-5.6.36-1.mga6


Source RPMs: 
php-5.6.36-1.mga6.src.rpm
Marc Krämer 2018-05-01 21:07:11 CEST

Assignee: php => qa-bugs

Comment 3 David Walser 2018-05-01 21:20:36 CEST
As usual it's a security update.  Mageia 5 build also added:
php-5.6.35-1.mga5.src.rpm

Marc, be careful when you update a version. If you do the mgarepo co and don't allow it to download the old source fully (which is fine, I usually don't), then when you do mgarepo sync -d it will download the new source, but it won't remove the old one from SOURCES/sha1.lst. You have to do "mgarepo del SOURCES/php-5.6.35.tar.xz" or just remove it from SOURCES/sha1.lst manually. I cleaned it up for mga6.

Ever confirmed: 0 => 1
Status: UNCONFIRMED => NEW
Whiteboard: (none) => MGA5TOO
QA Contact: (none) => security
Component: RPM Packages => Security
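
An added example, not part of the bug thread and not mgarepo's own code, for the cleanup described in comment 3: a shell check that lists tarball entries left in SOURCES/sha1.lst for a version other than the current one. It assumes sha1.lst holds sha1sum-style lines (digest, then filename); the helper names and the sample digests are constructed for illustration.

```shell
#!/bin/sh
# Added example, not mgarepo's own code.
# Assumption: SOURCES/sha1.lst holds sha1sum-style lines: "<digest>  <filename>".

# stale_sources LISTFILE NAME VERSION   (hypothetical helper)
# Print each NAME-<version>.tar.* entry whose version differs from VERSION.
stale_sources() {
    awk -v name="$2" -v ver="$3" '
        NF >= 2 {
            file = $2
            prefix = name "-"
            if (index(file, prefix) != 1) next       # belongs to another source
            rest = substr(file, length(prefix) + 1)
            pos = index(rest, ".tar.")
            if (pos == 0) next                       # not a versioned tarball
            # Force string comparison so "5.6" and "5.60" are not treated as equal.
            if ((substr(rest, 1, pos - 1) "") != (ver "")) print file
        }' "$1"
}

# Constructed sample: the list after a version bump where the old tarball
# entry was never removed. Digests and the third filename are placeholders.
write_sample() {
    cat > "$1" <<'EOF'
0000000000000000000000000000000000000000  php-5.6.35.tar.xz
1111111111111111111111111111111111111111  php-5.6.36.tar.xz
2222222222222222222222222222222222222222  php-fpm.service
EOF
}

sample=$(mktemp)
write_sample "$sample"
for f in $(stale_sources "$sample" php 5.6.36); do
    echo "stale entry: $f (remove with: mgarepo del SOURCES/$f)"
done
rm -f "$sample"
```
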

Comment 4 Marc Krämer 2018-05-01 21:26:36 CEST
Thanks David, I'll push mga5 too.
Btw. how long do we support mga5? I thought we've dropped the support.
Comment 5 David Walser 2018-05-01 21:40:55 CEST
I already pushed the Mageia 5 build.  It's not officially supported anymore, but I'm unofficially supporting a limited set of packages.
Comment 6 PC LX 2018-05-02 10:58:19 CEST
Installed and tested without issues.

Tested using several small and large scripts (e.g. drupal, wordpress, custom scripts). Also did some PHP debugging and PHP scripts unit tests. All good.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.38-desktop-1.mga6 #1 SMP Mon Apr 30 13:15:08 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep php | sort
apache-mod_php-5.6.36-1.mga6
lib64php5_common5-5.6.36-1.mga6
php-cli-5.6.36-1.mga6
php-ctype-5.6.36-1.mga6
php-curl-5.6.36-1.mga6
php-dom-5.6.36-1.mga6
php-filter-5.6.36-1.mga6
php-ftp-5.6.36-1.mga6
php-gd-5.6.36-1.mga6
php-gettext-5.6.36-1.mga6
php-hash-5.6.36-1.mga6
php-ini-5.6.36-1.mga6
php-intl-5.6.36-1.mga6
php-json-5.6.36-1.mga6
php-mbstring-5.6.36-1.mga6
php-memcached-2.2.0-2.mga6
php-mysqli-5.6.36-1.mga6
php-mysqlnd-5.6.36-1.mga6
php-openssl-5.6.36-1.mga6
php-pdo-5.6.36-1.mga6
php-pdo_mysql-5.6.36-1.mga6
php-pdo_pgsql-5.6.36-1.mga6
php-pdo_sqlite-5.6.36-1.mga6
php-phpmailer-5.2.24-1.1.mga6
php-posix-5.6.36-1.mga6
php-session-5.6.36-1.mga6
php-suhosin-0.9.38-1.mga6
php-sysvsem-5.6.36-1.mga6
php-sysvshm-5.6.36-1.mga6
php-timezonedb-2017.2-1.mga6
php-tokenizer-5.6.36-1.mga6
php-xdebug-2.4.0-1.mga6
php-xml-5.6.36-1.mga6
php-xmlreader-5.6.36-1.mga6
php-xmlwriter-5.6.36-1.mga6
php-zlib-5.6.36-1.mga6

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
CC: (none) => mageia

Comment 7 David Walser 2018-05-02 15:40:27 CEST
My regular battery of tests passed on Mageia 5 x86_64.  Looks good to go.

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

Comment 8 Lewis Smith 2018-05-04 10:44:48 CEST
Advisory from comment 2 and bug RPMs list.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2018-05-04 19:30:32 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0222.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

